Critical Bash Vulnerability Leaves Systems Open to Attack

A vulnerability (CVE-2014-6271) has been discovered in the GNU Bourne Again Shell (bash) that can be exploited to execute code.

The flaw was discovered by Stephane Chazelas, and is related to how bash evaluates specially-crafted environment variables.

A large number of programs on Linux and other UNIX systems use bash to set up environment variables that are then used while executing other programs, explained Jim Reavis, CEO of the Cloud Security Alliance (CSA).

"Examples of this include Web servers running CGI scripts and even email clients and web clients that pass files to external programs for display such as a video file or a sound file," he blogged. "In short this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request, or by setting weird mime types for example."

Patches are being rolled out from the major Linux distributors, including from Red Hat (Red Hat Enterprise Linux versions 4 through 7 and Fedora); CentOS versions 5 through 7; Debian and Ubuntu 10.04 LTS, 12.04 LTS and 14.04 LTS.

In Linux, environment variables provide a way to influence the behavior of software on the system, blogged Huzaifa Sidhpurwala, security engineer at Red Hat.

"The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background," Sidhpurwala noted. "It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc). Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents."

The patch used to fix this flaw ensures no code is allowed after the end of a bash function, Sidhpurwala blogged.

Bash is a popular shell, and is available on other flavors of UNIX besides Linux, noted Garve Hays, solutions architect at NetIQ. The vulnerability, he added, could also have a "long tail" effect in that not all servers will get updated and will remain exposed.

Attackers can use this vulnerability to attack a variety of devices and web servers and take over the operating system, make changes or perform other actions, said Tod Beardsley, engineering manager at Rapid7.

"It’s rated a 10 for severity, meaning it has maximum impact, and “low” for complexity of exploitation – meaning it’s pretty easy for attackers to use it," Beardsley said in a statement.

"The affected software, bash, is widely used so attackers can use this vulnerability to remotely execute a huge variety of devices and web servers," he continued.

"Anybody with systems using bash needs to deploy the patch immediately,” Beardsley said.